Authentication type (ldap, users, etc) per client or user?

falz me at falz.net
Fri Jan 4 00:46:09 CET 2008


On Jan 3, 2008 3:45 PM, Alan DeKok <aland at deployingradius.com> wrote:
>   If you want to use one OR the other, try the following:
>
> authorize {
>         ...
>         group {
>                 files {
>                         ok = return
>                 }
>                 ldap
>         }
>         ...
> }
>
>   i.e. if an entry is found in the "users" file, then don't do LDAP.  If
> no entry is found in the "users" file, do LDAP.

This would technically get things working, but poses a security issue.
I want to have clients associated with backends. The above example
appears to simply give priority to one authentication source
over the other, which isn't what I'm trying to do.


>   Of course, in 2.0, you could just have a virtual server for client A,
> and a different virtual server for client B.

I'll look into 2.0 if this is the only way to get this functionality.


>   Because that's what you've configured it to do.  In this case, the
> debug output shows that it's not calling the "files" module.  So you've
> edited the default configuration so that the "files" module isn't
> called... and yet you say you want it to call the "files" module.

No, I did not remove the files section. It is called, and loaded per
my output in the previous email. Both are listed, but nothing in the
config points a client to an auth method, because I don't know the
syntax for this, or it's not possible.


>   What's wrong with the default configuration file that ships with the
> server?

I don't believe I said anything is. I simply don't know its syntax
well enough to know what to put in, or it's not possible.


>   You can copy & paste an example that doesn't apply to what you want to
> do, or you can understand how the server works.  In this case, reading
> the files in the "doc" directory would help.  They explain *how* those
> examples are configured, and *why* they work.

Looking through the docs, it appears that Autz-Type gives indications
of what I am trying to do:

http://www.freeradius.org/radiusd/doc/Autz-Type

I will experiment with it and some syntax, and chime back in when I
get things working for future reference for other users (and for me,
if I neglect to document it myself :)

--falz
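As an added example (not from this thread or from the FreeRADIUS project), here is how the per-client binding asked for above can be expressed with the FreeRADIUS 2.x virtual servers Alan mentions: each NAS entry in clients.conf names the virtual server that handles its requests, so a request from the LDAP-bound client never touches the "users" file and a request from the files-bound client never reaches LDAP, whether or not a lookup succeeds. Unlike the `group { files { ok = return } ldap }` ordering, there is no fallthrough between backends. The client names (office-nas, vpn-nas), the 192.0.2.x addresses (documentation range) and the secrets are placeholders assumed for illustration.

```conf
# clients.conf  (added example; names, addresses and secrets are placeholders)

client office-nas {
        ipaddr         = 192.0.2.10
        secret         = replace-me-office
        shortname      = office-nas
        # Every packet from this NAS is handled by the "files_only" virtual server.
        virtual_server = files_only
}

client vpn-nas {
        ipaddr         = 192.0.2.20
        secret         = replace-me-vpn
        shortname      = vpn-nas
        # Every packet from this NAS is handled by the "ldap_only" virtual server.
        virtual_server = ldap_only
}

# sites-enabled/files_only
# No "listen" section: this server only receives requests routed to it
# by the virtual_server setting in clients.conf.
server files_only {
        authorize {
                preprocess
                # Only the "users" file is consulted; the ldap module is not
                # listed here at all, so an unknown user is rejected rather
                # than looked up elsewhere.
                files
                pap
                chap
                mschap
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type CHAP {
                        chap
                }
                Auth-Type MS-CHAP {
                        mschap
                }
        }
}

# sites-enabled/ldap_only
server ldap_only {
        authorize {
                preprocess
                # Only LDAP is consulted; the "users" file is never read for
                # requests that arrive here.
                ldap
                pap
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
                # rlm_ldap sets Auth-Type = LDAP when it cannot read a
                # password attribute and must bind as the user instead.
                Auth-Type LDAP {
                        ldap
                }
        }
}
```

Run the server with `radiusd -X` and send a test request from each address: the debug output shows which `server { ... }` block a request enters, which is the check that the binding is taking effect. Two caveats a practitioner will want: a client entry without `virtual_server` is still handled by the default server (sites-enabled/default), so keep that server's authorize policy deliberately restrictive or remove modules you do not want reachable from unlisted clients; and because the "files" and "ldap" modules are only ever loaded into separate servers, a user missing from one backend is rejected rather than silently tried against the other, which is the behaviour the original question is after.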



More information about the Freeradius-Users mailing list